Lost VPN tunnel between 2 site when internal client use vpn client

chdave
Level 1

Currently, we have VPN tunnel connected to remote office using 2 Hotbrick VPN router.

When one of the internal computers tries to connect to another VPN server using Cisco VPN Client v4.8, it drops/disables/loses the existing VPN tunnel between us and the remote office. The tunnel is still established but there is no traffic between the 2 sites (can't ping at all).

What causes the problem? A Hotbrick issue, a Cisco VPN Client setting, or something else?

I have no idea what causes the issue. Please help. Thanks in advance.

Accepted Solution

Hi,

The problem is that your NAT device will not do the translation properly, and when the 2nd client fires the connection (ISAKMP packets, UDP 500) the port is not translated, so for the ASA it is as if the first user is trying to log in again, so it discards the initial connection.

The trick is, as you discovered, to use UDP transparency.

The problem is that UDP 10000 is not a standard, so you need to check whether multiple users will be able to be connected at the same time behind the same NAT.

If not, use the industry standard NAT transparency (UDP 4500). This will need to be configured only on the ASA.

Please rate if this helped.

Regards,

Daniel

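To illustrate Daniel's explanation, here is a simplified Python model (an added example, not from the thread or from Cisco): a NAT that passes UDP 500 through with the source port unchanged makes two inside hosts look like one peer to the responder, while a port the NAT translates normally, such as UDP 4500, keeps them distinct. The addresses and the responder's (ip, port) bookkeeping are constructed assumptions; a real IKE responder also tracks cookies/SPIs, so this shows only the mechanism the thread describes.

```python
"""Model of the NAT-traversal collision described in the thread (added example,
not from the original post). Assumption: the NAT passes UDP 500 through without
changing the source port ("IPsec passthrough"), while other UDP ports get a
fresh outside port each."""
from dataclasses import dataclass, field

IKE_PORT, NAT_T_PORT = 500, 4500


@dataclass
class Nat:
    public_ip: str
    next_port: int = 40000
    table: dict = field(default_factory=dict)   # (inside_ip, inside_port) -> outside port

    def translate(self, inside_ip, inside_port):
        key = (inside_ip, inside_port)
        if key not in self.table:
            if inside_port == IKE_PORT:          # passthrough: source port left untouched
                self.table[key] = IKE_PORT
            else:                                # ordinary UDP: unique outside port
                self.table[key] = self.next_port
                self.next_port += 1
        return self.public_ip, self.table[key]


@dataclass
class Responder:
    """IKE responder that identifies a peer by the (ip, port) it sees, as the thread
    describes: a second initiation from a known peer replaces the first session."""
    sessions: dict = field(default_factory=dict)   # (ip, port) -> inside host
    dropped: list = field(default_factory=list)

    def initiate(self, peer_ip, peer_port, inside_host):
        key = (peer_ip, peer_port)
        if key in self.sessions:                 # looks like the same user logging in again
            self.dropped.append(self.sessions[key])
        self.sessions[key] = inside_host


def run_scenario(port):
    """Two inside hosts (constructed addresses) both initiate IKE to the same
    responder through one NAT; returns (surviving hosts, dropped hosts)."""
    nat, asa = Nat("198.51.100.7"), Responder()
    for host in ("192.168.2.10", "192.168.2.20"):
        asa.initiate(*nat.translate(host, port), host)
    return sorted(asa.sessions.values()), asa.dropped


if __name__ == "__main__":
    print("UDP 500 :", run_scenario(IKE_PORT))     # first host's session is dropped
    print("UDP 4500:", run_scenario(NAT_T_PORT))   # both sessions survive
```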

4 Replies

scottosan
Level 1

Are the Hotbricks being NAT'd to a public address, or do the outside interfaces have actual public IP addresses? Also, if there is NAT'ing, are the VPN clients being NAT'd to the same public IP?

Yes, both Hotbricks have NAT with a public address.

NET1--L_HOTBRICK --INTERNET-- R_HOTBRICK--NET2

L_HOTBRICK and R_HOTBRICK have a VPN tunnel on their public IPs.

A local server on NET2 tries to use the Cisco VPN Client to connect to another location (not NET1 or NET2).

Whenever the Cisco VPN is established, it works fine, but I cannot ping through the tunnel between L_HOTBRICK and R_HOTBRICK. The tunnel is still established.

Very interesting... but I've lost a lot of hair now...

Hmm... somehow I got it to work if I enable IPSec over UDP and IPSec over UDP port 10000 on the ASA 5510 and check the Transparent Tunneling check box on the VPN clients. Now both tunnels work... any idea?

Time to find out... Thanks anyway.

